Adaptive partitioning
Dennis Hofheinz (KIT, Karlsruhe)
Public-Key Encryption
- Accepted security notion: chosen-ciphertext security (IND-CCA)
  Adv(A) = Pr[b = b'] - 1/2, should be negligible
- Observation: covers only 1-user, 1-ciphertext scenario
  – Hybrid argument → multi-user, multi-ciphertext security
  – But: security guarantees may degrade in scenario size
  – So: scenario size may influence keylength recommendations
[Figure: IND-CCA game. Challenger sends pk to Adversary A; A sends (m0,m1) and receives Enc(pk,mb); A has oracle access to Dec(sk,·) and finally outputs b'.]
This talk
- Tightly secure PKE: multi-challenge IND-CCA
  Adv(A) = Pr[b = b'] - 1/2, should be negligible
- Goal: tight reduction to standard assumption (e.g., DDH)
  – Tight: reduction loss independent of # ciphertexts/queries
  – Enables security guarantees for arbitrary/unknown scenarios
- Difficulty: standard techniques yield non-tight reductions
[Figure: multi-challenge IND-CCA game. As before, but the (m0,m1) → Enc(pk,mb) exchange is repeated many times; A keeps oracle access to Dec(sk,·) and finally outputs b'.]
Tight CCA security
- Tightly secure PKE: multi-challenge IND-CCA
- Standard techniques yield non-tight reductions, examples:
  – IBE: reduction knows "punctured" sk, randomize one C(i)
  – HPS: reduction knows full sk, entropy in sk randomizes one C(i)
  – NY (double encryption with consistency proof): make one C(i) "special" (with simulated proof), requires simulation-soundness
- Difficulty: simulation-soundness in face of many simulated proofs
[Figure: Adversary A sends (m0(1),m1(1)), …, (m0(Q),m1(Q)); Challenger answers C(1)=Enc(pk,mb(1)), …, C(Q)=Enc(pk,mb(Q)).]
Previous work / contribution
- This work: not yet practical, but conceptual progress
  – Generic new techniques to randomize challenge ciphertexts
  – Yields first DCR-based tightly secure PKE scheme
- Remaining talk: overview over new techniques

  Scheme        |pk|    |C| (KEM)   Loss    Assumption
  CS98/BBM00    3       3           O(Q)    DDH
  KD04/BBM00    2       2           O(Q)    DDH
  CS03          3       2           O(Q)    DCR
  HJ12          O(1)    O(λ)        O(1)    DLIN (PFG)
  LPJY15        O(λ)    47          O(λ)    DLIN (PFG)
  H16           2       60          O(λ)    DLIN (PFG)
  GHKW16        2λ      3           O(λ)    DDH
  This work     24      6           O(λ)    DLIN (PFG)
  This work     20      30          O(λ)    DCR

  (PFG: pairing-friendly groups)
Basic strategy
- This work: not yet practical, but conceptual progress
  – Generic new techniques to randomize challenge ciphertexts
  – Yields first DCR-based tightly secure PKE scheme
- Remaining talk: overview over new techniques
- Starting point: Naor-Yung double encryption:
  C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
  Consistency proof π: proves that M0=M1
Naor-Yung encryption
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
- One (known) way to prove Naor-Yung secure (sequence of games; the property justifying each hop is given in brackets):
  0) IND-CCA experiment (many challenges), use sk0 to decrypt
  1) simulate all proofs π (using NIZK simulator) in challenges   [NIZK ind.]
  2) randomize all M1 in challenges   [CPA]
  3) use sk1 (not sk0) to decrypt (in decryption queries)   [sim-snd]
  4) randomize all M0 in challenges   [CPA]
- Difficulty outsourced into simulation-sound NIZK proofs π
  (many-challenge setting, with tight security reduction)
This work: new randomization strategy / new way to prove NY in multi-challenge setting
Recap: hash proof systems
- Ingredient: hash proof systems (designated-verifier NIZKs):
  Prover (knows hpk) sends (x,π) to Verifier (knows hsk)
  – Unique proofs for x ∊ L, can be computed in two ways:
    π = hpk(x,w) = hsk(x)
  – NIZK simulator uses secret key hsk to compute π
  – Statistical soundness:
    if only proofs for true statements x known…
    … then any proof π for false x inf.th. hidden
- Efficient HPSs for linear [CS02] and OR-languages [ABP15] known
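The two ways of computing an HPS proof and the statistical-soundness property recapped above, as an added Python example (not code from the talk or the paper): a toy Cramer-Shoup style hash proof system for the DDH language over a tiny constructed group. The parameters p = 2039, q = 1019, the generators 4 and 4^7 and the exponent W (the discrete log of g2, which we keep only so that the exhaustive smoothness check can enumerate all consistent secret keys) are constructed for the illustration. It shows that for x ∊ L the public evaluation hpk(x,w) and the private evaluation hsk(x) agree, and that for x ∉ L the value hsk(x) ranges over all q group elements as hsk ranges over the keys consistent with one hpk, i.e. the proof for a false statement is information-theoretically hidden by hpk.

```python
"""Toy hash proof system for the DDH language (Cramer-Shoup style).

Added illustration, not code from the talk.  All parameters are tiny on
purpose so that the smoothness check below can enumerate every secret key
that is consistent with a given public key.
"""

# Toy group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 a safe prime.
P = 2039            # constructed: prime
Q = 1019            # constructed: prime, P = 2*Q + 1
G1 = 4              # 2^2, a generator of the order-Q subgroup of quadratic residues
W = 7               # constructed: G2 = G1^W; W is known here only for the exhaustive check
G2 = pow(G1, W, P)

# Language L = {(u1, u2) : u1 = G1^r, u2 = G2^r}, witness w = r.


def keygen(k1, k2):
    """hsk = (k1, k2) in Z_Q^2, hpk = G1^k1 * G2^k2 (a single group element)."""
    hsk = (k1 % Q, k2 % Q)
    hpk = (pow(G1, hsk[0], P) * pow(G2, hsk[1], P)) % P
    return hsk, hpk


def statement(r, r2=None):
    """x = (G1^r, G2^r2).  r2 == r gives x in L (witness r); r2 != r gives x outside L."""
    if r2 is None:
        r2 = r
    return (pow(G1, r, P), pow(G2, r2, P))


def public_eval(hpk, witness):
    """Prover side: pi = hpk(x, w) = hpk^r.  Needs the witness, not hsk."""
    return pow(hpk, witness, P)


def private_eval(hsk, x):
    """Verifier / simulator side: pi = hsk(x) = u1^k1 * u2^k2.  Needs hsk, no witness."""
    u1, u2 = x
    return (pow(u1, hsk[0], P) * pow(u2, hsk[1], P)) % P


def keys_consistent_with(hsk):
    """All Q secret keys hsk' that yield the same hpk as hsk.

    hpk = G1^(k1 + W*k2), so hpk only fixes c = k1 + W*k2 mod Q; one degree of
    freedom in (k1, k2) remains hidden from anyone who knows only hpk.
    """
    k1, k2 = hsk
    c = (k1 + W * k2) % Q
    return [((c - W * k2p) % Q, k2p) for k2p in range(Q)]


def smoothness_image(hsk, x):
    """Set of proofs hsk'(x) over all hsk' consistent with hpk.

    Size 1: the proof for x is determined by hpk (x in L, unique proof).
    Size Q: the proof for x is uniform given hpk (x not in L, proof hidden).
    """
    return {private_eval(k, x) for k in keys_consistent_with(hsk)}


if __name__ == "__main__":
    hsk, hpk = keygen(123, 456)
    w = 77
    x_in = statement(w)
    assert public_eval(hpk, w) == private_eval(hsk, x_in)
    print("x in L:     ", len(smoothness_image(hsk, x_in)), "possible proof given hpk")
    x_out = statement(w, w + 1)
    print("x not in L: ", len(smoothness_image(hsk, x_out)), "possible proofs given hpk (Q =", Q, ")")
```

With real parameters the enumeration in keys_consistent_with is infeasible, which is exactly the point: the counting argument shows why hpk alone cannot help an adversary forge a proof for a false statement, while the verifier (and the NIZK simulator on the slides) can always produce π from hsk without any witness.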
Idea for our proof system (uses HPSs)
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π )
- Structure of π: π = (π0, π1, Com(τ)), where
  – τ is a random bit (similar to Katz-Wang signature scheme)
  – π0 is a HPS proof (under hsk0) for (M0=M1 ∨ τ=0)
  – π1 is a HPS proof (under hsk1) for (M0=M1 ∨ τ=1)
- Simulated π for bad C breaks only hsk_{1-τ} (but not hsk_τ)
Adaptive partitioning
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ),  π = (π0, π1, Com(τ))
π0 proves (M0=M1 ∨ τ=0) under hsk0;  π1 proves (M0=M1 ∨ τ=1) under hsk1
- Randomization strategy:
  [Figure: challenge ciphertexts C(1), C(2), C(5), C(10), …, C(Q) are partitioned by τ into two halves (τ=0 / τ=1); one half (here C(5), C(1), C(2)) is randomized, then τ is re-drawn and the remaining ones (C(Q), then C(10)) are randomized in further rounds.]
- Requires O(λ) steps
Adaptive partitioning
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ),  π = (π0, π1, Com(τ))
π0 proves (M0=M1 ∨ τ=0) under hsk0;  π1 proves (M0=M1 ∨ τ=1) under hsk1
- Step 1: guess τ* (τ of first Dec-query with valid π and M0≠M1)
  (This means adversary breaks soundness of hsk_{1-τ*})
- Step 2: randomize all challenge ciphertexts with τ=1-τ*
  (This allows to randomize half of all challenge ciphertexts)
- Step 3: re-randomize partitioning bit τ in challenges, then goto 1
  (Prepare to randomize one half of another random partition of challenges)
- Difference to [KW03]: KW keep τ public (but simulation capabilities hidden)
Adaptive partitioning
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ),  π = (π0, π1, Com(τ))
π0 proves (M0=M1 ∨ τ=0) under hsk0;  π1 proves (M0=M1 ∨ τ=1) under hsk1
- Illustration:
  [Figure: challenges C(1), C(2), C(5), C(10), …, C(Q) together with the adversary's inconsistent decryption query C*; the challenges are partitioned by τ (τ=0 / τ=1), and the half whose τ differs from the τ of C* (here C(5), C(1), C(2), later C(Q)) is randomized.]
Adaptive partitioning
C = ( C0=Enc(pk0,M0), C1=Enc(pk1,M1), π ),  π = (π0, π1, Com(τ))
π0 proves (M0=M1 ∨ τ=0) under hsk0;  π1 proves (M0=M1 ∨ τ=1) under hsk1
- Omitted difficulty: how does this re-partitioning work?
- Step 3: re-randomize partitioning bit τ in challenges, then goto 1
  (Prepare to randomize one half of another random partition of challenges)
  – Problem: how to manage/recall what is randomized
  – Solution idea: in i-th randomization cycle, use i-th bit of H(C0,C1)
- Remaining problem: efficient HPSs for OR-proofs
  – In pairing-friendly groups: [ABP15]
  – In DCR setting: new proof system (uses that we can compute dlogs in DCR)
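The Step 1 to Step 3 loop and the "i-th bit of H(C0,C1)" bookkeeping from the slides above, as an added Python simulation (not code from the talk or the paper). Assumptions made here: H is modelled by SHA-256 (so λ = 256 and the loop runs at most 256 cycles); ciphertexts are constructed byte-string labels standing in for real (C0,C1) pairs; and the reduction's guess τ* in cycle i is taken to be correct, i.e. τ* is the i-th bit of H of the adversary's first inconsistent decryption query C*. In cycle i the simulation randomizes every challenge whose i-th hash bit differs from τ*, and checks that "is C already randomized?" can be recomputed from the hash bits alone, with no per-ciphertext state; every challenge whose hash differs from that of C* is randomized within λ cycles, which matches the O(λ) number of steps quoted on the slides.

```python
"""Bookkeeping of the adaptive partitioning strategy (added simulation, not the paper's code).

Model: in randomization cycle i every ciphertext's partition bit tau is the
i-th bit of H(C0, C1); the adversary's inconsistent decryption query C* has
partition bit tau* = bit_i(H(C*)); the reduction randomizes the challenges
with tau != tau*.  H is SHA-256 here and ciphertexts are byte labels.
"""
import hashlib

LAMBDA = 256  # output length of H in bits (assumption: H = SHA-256)

# Constructed sample input: five challenge labels and the label of C*.
CHALLENGES = [b"C(1)", b"C(2)", b"C(5)", b"C(10)", b"C(Q)"]
BAD_QUERY = b"C*"


def hash_bits(ciphertext: bytes) -> int:
    """H(C0, C1), modelled as SHA-256 over a label that stands in for (C0, C1)."""
    return int.from_bytes(hashlib.sha256(ciphertext).digest(), "big")


def bit(h: int, i: int) -> int:
    """i-th bit of H (bit 0 = most significant); this is tau in cycle i."""
    return (h >> (LAMBDA - 1 - i)) & 1


def is_randomized(h_c: int, h_star: int, cycles_done: int) -> bool:
    """Stateless recall of 'was C randomized in one of the first cycles_done cycles?'.

    C is randomized in cycle i exactly when bit_i(H(C)) != bit_i(H(C*)), so the
    reduction never has to store a per-ciphertext flag: it re-derives the answer
    from the two hashes.
    """
    return any(bit(h_c, i) != bit(h_star, i) for i in range(cycles_done))


def first_randomizing_cycle(h_c: int, h_star: int):
    """1-based index of the cycle in which C gets randomized, or None if never."""
    for i in range(LAMBDA):
        if bit(h_c, i) != bit(h_star, i):
            return i + 1
    return None


def run_cycles(challenges, bad_query):
    """Walk through the randomization cycles; return (randomized set, cycles used)."""
    h_star = hash_bits(bad_query)
    hashes = {c: hash_bits(c) for c in challenges}
    randomized = set()
    for i in range(LAMBDA):
        tau_star = bit(h_star, i)                     # Step 1 (guess assumed correct)
        for c, h in hashes.items():                   # Step 2: randomize the half with tau != tau*
            if bit(h, i) != tau_star:
                randomized.add(c)
        # The stateless recall must agree with the explicit set after every cycle.
        assert all(is_randomized(h, h_star, i + 1) == (c in randomized)
                   for c, h in hashes.items())
        if len(randomized) == len(hashes):
            return randomized, i + 1
        # Step 3: re-partition by the next bit of H (this is what i + 1 does)
    return randomized, LAMBDA


if __name__ == "__main__":
    done, used = run_cycles(CHALLENGES, BAD_QUERY)
    print(f"{len(done)} of {len(CHALLENGES)} challenges randomized after {used} cycle(s)")
    for c in CHALLENGES:
        print(c.decode(), "randomized in cycle",
              first_randomizing_cycle(hash_bits(c), hash_bits(BAD_QUERY)))
```

A challenge whose hash equals H(C*) is never randomized (run_cycles([BAD_QUERY], BAD_QUERY) returns an empty set after all λ cycles), so the argument relies on H not producing such collisions between challenges and the adversary's decryption queries; with distinct hashes, the number of cycles needed is the position of the first differing bit, which in practice is far below λ.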
Summary
- New strategy to obtain tightly IND-CCA secure PKE schemes
- Core difference to previous approaches: decide adaptively which ciphertexts are to be randomized in each randomization cycle
- Main benefit: DCR-based solution (using new OR-proofs)
- Follow-up work shows potential of ideas
  – Compact tightly secure PKE from DDH
  – Compact tightly secure structure-preserving signatures